To CISSP or Not to CISSP – Part 2
Continued from: To CISSP or Not to CISSP – Part 1
Let’s look at what another non-fan of the cert thinks. In his blog entry he quoted another blog that stated:
“I chose a self-study route, and devoted around 2 months for the preparation. I locked myself in and had very little to no time for the family. I’d told them what I was up to, and both my wife and son were very supportive. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours for preparation. The last week before the exam, I took leave from work and dedicated around 12 hours straight every day for 7 days. To cope with the physical and mental tensions I did 45 minutes of yoga in the morning and 20 minutes of meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of study.”
He then followed up by stating:
“That is ridiculous. I would expect someone who wants to be considered as a “security professional” to be well-enough versed in the CISSP material to not require seven straight days of 12 hour studying sessions, beyond the previous seven weeks of study.”
Again, if the cert is all about the question of competence, the assertion above is very valid. I can also understand why many feel that it is a question of competence, because the cert’s proponents market it that way. Not to mention, the title of the cert implies as much. All that said, however, once again it misses the entire point.
Let’s look at ISC2’s marketing spiel on why one should certify as a CISSP:
Benefits of Certification to the Professional
- Demonstrates a working knowledge of information security
- Confirms commitment to profession
- Offers a career differentiator, with enhanced credibility and marketability
- Provides access to valuable resources, such as peer networking and idea exchange
Benefits of Certification to the Enterprise
- Establishes a standard of best practices
- Offers a solutions-orientation, not specialization, based on the broader understanding of the (ISC)² CBK
- Allows access to a network of global industry and subject matter/domain experts
- Makes broad-based security information resources readily available
- Adds to credibility with the rigor and regimen of the certification examinations
- Provides a business and technology orientation to risk management
Let’s look at the bullet points that state “Demonstrates a working knowledge of information security” and “Allows access to a network of global industry and subject matter/domain experts.” If we confine the reasons why one wants to be a CISSP, and why one would want to hire a CISSP, to these two contexts, then the negative assertions are entirely true.
However, for the same reason that a college grad has a leg up over a high-school grad, a CISSP has a leg up over a non-CISSP for the intangibles that it brings beyond competence.
College and attaining a certification bring a certain discipline that is not easily measured in areas of direct competence or skill. It goes beyond that. It molds the individual into a certain character that prepares that individual to handle situations; more often than not, to handle a situation professionally. Before I continue, I would like to make it clear that I am not dissing high-school grads or non-cert professionals. I have worked with and know of high-school grads who can work with the best of them, and college grads who are nothing more than dirt bags. I have also employed folks who don’t hold a single cert but whom I would not dare let go because of the value that they bring to the company, and folks who have all the accreditation in the world but don’t have a clue how to tie their shoelaces even if you showed them how. Okay, that last part is a tad bit of exaggeration, but you get the point. (I hope…)
The two contractors that I have been talking about have neither the college education nor the accreditation to prove their qualification for the work that we do. However, I believe that they interviewed well and made their resumes look good. Key things that one learns in college and in taking certifications are the value of professionalism and ethics. One learns very early on the importance of NOT BURNING BRIDGES in your professional life, since it has a great potential of haunting you endlessly down the road. I will admit that, for all intents and purposes, these two guys probably already know this and it is just a matter of their value system. But then again, I digress.
A CISSP cert, or any other cert or a college degree, primarily helps to “confirm one’s commitment to a particular profession.” Like that guy who locked himself up for two months to study for the exam, or as I have done to prepare for the exam, it shows commitment. It shows dedication. The cert does not prove by any means that I am a better security professional than the two other contractors who did not have the cert, or than the detractors of the cert. It just shows my willingness to commit and dedicate myself, and my willingness to learn. If I can dedicate myself to learning such complex ideas that may or may not have anything to do with my work, then I may be able to dedicate myself to learning the processes, procedures and politics of the company that I will be working for.
And employers know this. As a former hiring manager myself, I value college education and certifications to the extent that I immediately know that the individual who is applying for the job took the time and had the discipline to dedicate him or herself to a particular goal and objective, and achieved it. There is no quicker way to prove to someone, especially to employers, that you are capable of achieving something than with a college degree or an industry-recognized certification.
There is another point that I want to make. This is again coming from the Veracode blog:
- “Career advice, take it or leave it: If an employer or prospective employer demands that you get your CISSP in order to be hired or to progress in your career, run fast in the opposite direction and find a place where you will be valued for your cumulative experience rather than a piece of paper.”
In this job market, I would say good luck with that. Not only does the Fortune 1 company, also known as the US Department of Defense, require that you attain security certifications if you want to get a job or keep your job in the department (Google DoD 8570.1 for a quick FYI), but the rest of the Fortune 1000 companies worth their salt put value in the cert for a variety of reasons, including the reason I’ve already mentioned above.
If you are one of the lucky few who have all the experience in the world and a resume so stellar that it could not be turned down, a shining diamond in the middle of a pile of coal, more power to you. Unfortunately, not many of us are such diamonds.
Also, isn’t your resume just a piece of paper? Looking at the resumes of the two contractors that I kept mentioning in this entry, and knowing these two personally, I believe that they are nowhere close to having the experience, not to mention the titles, that they claim in their resumes. Those claims go a little beyond your average “white lie.”
An accreditation is not the main thing, but rather one of the first things that can help an employer verify a person’s claim about his or her experience and background. Someone might retort, that’s what references are for. Seriously, has nobody ever thought of having his/her best buddy pose as his/her former manager?
Let me finalize this entry by talking about why I decided to take the exam in the first place. As I mentioned earlier in this entry, it was essentially “to build my street cred,” or as ISC2 put it:
- Offers a career differentiator, with enhanced credibility and marketability
Ladies and gentlemen, a certification, a college degree and whatever accreditation you have truly has very little to do with your competence or true skill set. Such competence and skill set you can build through dedication to your work and through experience, and you can’t be dedicated to your work or build your experience unless you get hired. (Unless of course you have all the resources to make yourself your own boss and run your own business; some of us do, but a whole lot of us don’t.) All the swag, all the acronyms and that piece of paper are all about MARKETING. Yes, ladies and gents, it is not a testament to your technical skills, but instead a testament to your marketability.
When I was doing work with a government contractor and we were in the process of sub-contracting with the big guys to go after a particular government contract, the prime contractor would typically ask our company, “What is your key differentiator?” In other words, why should I include you in my team versus the other guy? What have you achieved? There is no faster way to tell them about our achievements than to show them the company’s certifications.
Is an ISO-this or CMMI-that certified company better than a company that has been in existence for over 20 years? Probably, and more than likely, not, but it shows the company’s dedication to becoming better at what they do. A personal certification is no different.
The alphabet soup of acronyms that you tag onto your last name, such as CISSP, PMP, CISM, MCSE, CISA, CEH, etc., are the big banners that tell employers that you are a capable individual who can achieve your goals and objectives. AND BUSINESSES ARE ALL ABOUT ACHIEVING GOALS AND OBJECTIVES.
As to the value of the CISSP to me personally, and my own doubts about its true value, first look at my entries “A Series of Funny Things Happened on the Way to San Francisco – Part 1 and Part 2.” Both companies decided to interview me because I had a differentiator in my resume, and guess what it was: CISSP.
The cert was not the key reason why both companies decided to give me an offer; rather, it was because I was able to effectively articulate my value to both companies during the interview process. Nor did I get hired on full-time by the company I am working for now, and get paid what I believe is my market value, because of the CISSP cert, but rather because I have proven my competence in my line of work. However, none of this would have happened if that five-letter acronym was not tagging along after my last name.
The bottom line: if you are looking for a CERT THAT WILL PROVE to employers how good you are at what you do, then CISSP is not it. I can’t think of any cert out there that does that. But if you are looking for a cert that will help open doors SO YOU CAN PROVE to employers that you are worth your salt, then CISSP and a multitude of other certifications will do the trick.
Comments
6 Responses to “To CISSP or Not to CISSP – Part 2”
You make statements without real merit. You state that the DoD requires CISSP; well, I have a friend working for the DoD who does not have his CISSP. In addition, I am more inclined to agree with the statements from the other bloggers. Another friend of mine (contracting firm) was trying to fill a full-time security professional position for a bank in Philly. He sent numerous CISSP candidates over, but the client felt none of them were qualified. If I was hiring for a position and the candidate only had the CISSP, that would not tell me anything. If they had the college degree, that actually tells me something. I find it repelling that you compare the CISSP in a sense to a college education due to the dedication. Not even a comparison. There is a small degree of dedication for the CISSP. A colleague and friend of mine did the CISSP in a week through an intense boot camp and another just read Shon Harris’s book, and they both passed. I would not call that dedication. They are both qualified security professionals, but that is not the case for everyone. During my time at a bank in Charlotte the company had all their full-time professionals get certified, and this to me proves that this is just a paper certification, because I worked with individuals that were just plain lazy and really on the border of being classified as a security professional. Most were just clickers. Step through the Checkpoint firewall, click this, click that, and pray they did not cause an issue. Ask them to subnet, forget about it, but they all had CISSPs.
My current employer wants me to obtain this certification and that is fine, but I would never rank this cert high in my book for hiring a security professional. My current employer was looking for an Information Security Manager for 6 months, where I heard they interviewed several CISSP candidates until I placed my resume in for the job. All I put on my resume was “CISSP in progress” to get around the CISSP requirement and to get my resume in the right hands. I landed the job. Are there qualified CISSPs? Sure. Are there more unqualified CISSPs? Absolutely, and those are the folks that could not tie their own shoes, as you put it. I would bring in a pen tester certification candidate before bringing in a CISSP for an interview, and it would not depend on the security position. The breadth of knowledge and know-how will most likely come from the pen tester. Not always the case, I know that, but 9 times out of 10 it would.
This is just my personal and professional opinion. Ten years of working directly in security and 15 years overall information technology.
Kelly
@Kelly: “You make statements without real merit. You state that the DoD requires CISSP well I have a friend working for the DoD who does not have his CISSP.” -> How is it without merit when it is right there in the directive? http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
As for your friend, well, more power to him. As former military, my favorite catch phrase was “Hurry up and wait.” This essentially shows how the DoD can work in a knee-jerk way but then later move slowly. But when it catches up, it will behoove you to be prepared. I am also a former contractor, and we’ve placed several folks who are right now on the brink because they do not have the cert. As with anything in life, however, there are exceptions to the rule. But debunking the merit of another person’s assertion based on an exception, I believe, how do I put it, “is without merit”.
The “exception to the rule” seems to be the theme of your comment here. Again, more power to anyone who can regurgitate the 10 domains and several hundred pages of information present in the CISSP books in one boot camp or one week of study. Not all of us are so gifted. Again, CISSP is not proof of competence or of how good you are; it is just proof of your potential and of what you are willing to do and achieve. Other than that, well, it’s all up to the hiring process or, if you are in the job, up to your performance.
Finally, not once did I say or imply that a CISSP, any accreditation, college degree or what-have-you is a surefire ticket to getting a job or keeping a job. If that were the case, then there would be more CISSPs out there. Also, if CISSP were the be-all and end-all meal ticket, then there would have been no need for the multiple layers of interviews, technical skills tests, background checks, reference checks, etc., that I go through (and many of us do) to land a job.
Anybody can obviously get a job or keep a job based on the merits of their experience and performance. However, I don’t think it is a good idea to shortchange yourself by missing out simply because you don’t have the cert, training, accreditation or education. Rightly or wrongly, it is the organizations who define their requirements; it is their game. We all just play in it, and the best we can do is either play the cards we are dealt or use the aces up our sleeves.
@Kelly again –
BTW: “All I put on my resume was CISSP in progress to get around the CISSP requirement and to get my resume in the right hands.” -> I don’t know if you even realize it, but you essentially drove home the point. The CISSP will get your resume in the right hands. That was it. Even though you don’t have it, you relied on it. Some folks just felt it best to follow through with their promise though and really became CISSP.
Well said, Thedon. Certs do not prove that you are the “end all be all” for that particular area you’re getting the certification in. The problem is, at this point, what else do we have? Take 8570 for instance – having done instruction (with darn good pass rates) for both Sec+ and CISSP, I can tell you that there was not one person who took a class and sat for a certification exam (or even just studied on his/her own) that did not know more about infosec than when he/she started to study. You can’t help but learn something. 8570 is admittedly flawed, but at this point it’s the best we’ve got. And again – you can’t tell me that even the people that are good at memorization and taking tests haven’t picked up something they can apply infosec-wise.
For anybody on the fence about the CISSP – it is a grueling test. A lot of the critiques I’ve read are from people who have not taken the exam. Studying, sitting for the exam and passing it (as is stated very well in these two blog postings) shows above all else that you can commit to something and follow through. It’s hard.
I myself really dislike certs. Most don’t prove that you know your stuff. Am I glad I have my CISSP and CISA (and the rest of the alphabet soup)? You bet. Have they gotten me places I would not have gotten to without them? You bet. Is there a better way right now to consistently set a bar as far as knowledge when you’re talking tens of thousands of people? Nope.
Please excuse any typos in this – typing it on my phone.
Amen